
Subject: Re: CIPE statically compiled into kernel?
From: Roberto Nibali <ratz,AT,tac,DOT,ch>
Date: Tue, 23 Apr 2002 14:46:16 +0200
In-reply-to: <5.1.0.14.2.20020420235602.02c43250@pop.moriz.net>

Hi Roland,

> is it possible to compile CIPE statically into the kernel? how? :-)

Well technically you could make a patch to the kernel to link the
cipe code statically. But what do you gain? And it generally is a PITA
to do this since you need to patch subsystems of the kernel to export
symbols for the specific code and all the other fun you will encounter 
when doing that.

I could, however, also be mistaken and Olaf has already provided a
patch for linking CIPE statically into the kernel. I haven't checked
the newest code in a while.
 
> (We don't support LKMs on our production servers to prevent abuse...)

:) Yet again someone that thinks by disabling lkm he'd be safe. May I
suggest you read [1]? You gain _no_ security by disabling lkm! You need
either capabilities or type enforcement on loading modules. As long as
you have a means to allow a potential fellow cracker to get r00t on your
box, you're unsafe. A very promising project for linux implementing a
clean API for such >C2 systems is [2]. Together with [3] you can even
start using it for productive systems.

I apologize to the other readers of the list for this slightly OT
glitch of mine. 

[1] http://www.phrack.com/show.php?p=58&a=7
[2] http://lsm.immunix.org/
[3] http://www.nsa.gov/selinux/

Best regards,
Roberto Nibali, ratz

-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
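
The point above, that module loading has to be gated by capabilities rather than only compiled out, can be checked on a running host. This is an added example, not part of the original message or of CIPE: it reads the capability masks in /proc/<pid>/status and reports processes that hold, or still have in their bounding set, CAP_SYS_MODULE or CAP_SYS_RAWIO. Assumptions: a current Linux kernel that exposes CapEff and CapBnd per process; watching CAP_SYS_RAWIO as well is a choice made here; the sample status text and function names are constructed.

```python
import glob

CAP_SYS_MODULE, CAP_SYS_RAWIO = 16, 17  # bit numbers from linux/capability.h
WATCHED = {CAP_SYS_MODULE: "CAP_SYS_MODULE",  # load/unload kernel modules
           CAP_SYS_RAWIO: "CAP_SYS_RAWIO"}    # raw /dev/mem, /dev/kmem, /dev/port

# Constructed /proc/<pid>/status excerpts, not taken from a real host.
SAMPLE_ROOT_DAEMON = "Name:\tdaemon-a\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
SAMPLE_CONFINED = "Name:\tdaemon-b\nCapEff:\t0000000000000400\nCapBnd:\t0000003ffffcffff\n"

def parse_status(text):
    """Return the Name and the Cap* masks (as ints) from a status file."""
    info = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Name":
            info[key] = value.strip()
        elif key.startswith("Cap"):
            info[key] = int(value.strip(), 16)
    return info

def kernel_write_paths(text):
    """List capability-gated routes into the kernel open to this process."""
    info, findings = parse_status(text), []
    for cap, label in WATCHED.items():
        bit = 1 << cap
        if info.get("CapEff", 0) & bit:
            findings.append(label + ":effective")
        elif info.get("CapBnd", 0) & bit:
            findings.append(label + ":in-bounding-set")  # may be regained on exec
    return findings

def audit_host():
    """Scan live processes; map each status path to its findings."""
    report = {}
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                findings = kernel_write_paths(fh.read())
        except OSError:
            continue  # process exited or access was denied
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in sorted(audit_host().items()):
        print(path, ", ".join(findings))
```

A root daemon with an unrestricted bounding set is reported for both capabilities; one whose bounding set has both bits cleared is not reported, even though it still runs as uid 0.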
